Ransomware is a type of malware that blocks a victim’s access to their data until a ransom is paid. While not as common as phishing, ransomware is still a major threat to individuals and organisations worldwide. In 2021, more than a third of organisations globally suffered an attempted ransomware attack.
2021 saw 623.3 million ransomware attacks worldwide, an increase of 105% over 2020 figures. This can partly be explained as businesses continued to experience issues adapting networks and supply chains for remote and hybrid work. These are not all successful attacks, but rather attempted breaches.
In 2022, the volume of ransomware attacks dropped 23%, indicating that increased government scrutiny and general awareness of the dangers are having an effect.
However, attack methods are evolving. ‘Traditional’ ransomware techniques involved encrypting target data and charging victims a fee for the decryption key. Now, cyber criminals are threatening to release or sell the data if the ransom isn’t paid in so-called ‘double-extortion’ schemes.
Further extortion methods include Denial of Service attacks and harassment via email or phone. The use of all 4 techniques at the same time is rare.
Average ransomware demands have also seen dramatic increases in recent years. In 2021, the average ransomware payment rose 82% from 2020 to a record $570,000. This is after a 171% increase in 2020 to over $312,000.
High-profile ransomware attacks have highlighted the sophistication of modern cyber attacks and the dangers facing both organisations and individuals. In 2021, US-based meat production manufacturer JBS paid $11 million in ransom after an attack compromised its operations.
The cost of ransomware extends beyond the payment of the ransom. 20% of the costs are attributed to brand reputation damage.
However, this brand damage means reported ransomware infections may not reflect the actual number of successful attacks – organisations are keen to avoid bad publicity and the associated costs.
Therefore, estimating the number of successful ransomware attacks (attacks that resulted either in data leaks or ransom payments) is difficult. Analysis of websites known to be used by threat actors identified 2252 incidents in 2021, and a further 1858 from January to June 2022.
Between May 2021 and June 2022, there have been an estimated 3640 successful ransomware attacks globally. As mentioned above, these ransomware statistics use publically reported figures; it is likely more ransomware victims haven’t reported breaches in security.
This supports the results from the research of 900 senior non-technical employees (CEOs, VPs and Directors). The research found that just 42% of companies would report a ransomware attack to both law enforcement and a cyber security incident response service.
60% believe that the media are exaggerating the threat that a potential ransomware attack poses. However, 64% have already been victims of at least one ransomware attack, of which 79% paid the ransomware group.
Of the 64% that have previously been attacked, 88% said they would pay the ransom again if attacked. In the same study, ransomware ranked the highest for the probability of attack at 66%, tied with data theft and ahead of cyber sabotage (62%), supply chain attacks (60%) and DDoS (60%).
Ransomware trends 2023
Ransomware is intrinsically linked with phishing
The latest ransomware statistics make it clear that phishing is the primary delivery method for ransomware. A recent report found that 75% of 1400 organisations surveyed suffered a ransomware attack, highlighting its continued prevalence in the business world. We offer more insights into the risks of phishing in our phishing statistics guide.
Of the 26% of respondents that had experienced a ‘significant’ increase in the number of email threats received in the last year, 88% were victimised by ransomware. This is far higher than the organisations whose email threats did not significantly increase, of which 65% experienced ransomware.
Rather than specifically stealing data with ransomware through phishing, the main aim of the initial phishing attack is to steal credentials. A study of 2249 social engineering incidents found that 63% resulted in compromised credentials, ahead of internal data (32%) and personal data (21%).
Using credentials means hackers can access internal networks as a ‘legitimate’ user. They can potentially escalate their attack undetected and deliver ransomware from within the network, encrypting and removing data before internal teams can respond.
The REvil ransomware group accounted for around 37% of all ransomware attacks committed in 2021. Formed in 2019, the gang operated for 31 months, operating REvil as ransomware-for-service that allowed criminals to use the software on a subscription basis.
The REvil group shut down in October 2021, making it one of the longest-running ransomware gangs – the average gang either shuts down or rebrands after 17 months.
During that time, REvil ransomware was used against thousands of businesses and individuals globally. This included an attack in 2020 on then-President Donald Trump, threatening the release of sensitive documents if a $42 million ransom wasn’t paid. It is not clear whether they actually had hacked any data relating to the President.
One high-profile attack occurred in 2021, when REvil claimed they had stolen data relating to new products by Apple, including schematics for an upcoming Macbook Pro. The group demanded $50 million as ransom.
Phishing appeared to be the primary delivery method for REvil ransomware. IBM’s X-Force observed that incidents involving REvil in 2021 often started with a ‘QakBot’ phishing email. This email would have a message urging the target to resolve an unpaid invoice or something similar. In some instances, hackers would hijack ongoing conversations to insert a malicious link.
When opened, the target would be instructed to unknowingly enable the QakBot banking trojan to be dropped into a system. REvil threat actors could then take command of the operation, conducting reconnaissance and then attempting to compromise data.
- In the first half of 2022, there were around 236.1 million ransomware attacks globally.
- During 2021, at least 15.45% of internet users worldwide experienced at least 1 malware-class attack, which includes ransomware.
- Kaspersky reported that ransomware attacks were defeated on 366,256 unique user computers in 2021.
- Ransomware accounted for around 20% of cyber breaches in 2022. For comparison, using stolen credentials (hacking) accounted for 40% of breaches in 2022, and phishing accounts for around 20%.
- The incident rate for ransomware attacks was lower in the US (7%) compared to the worldwide average (37%) in 2022.
- Just 13% of organisations reported suffering a ransomware attack and not paying the ransom in 2022.
- The FBI reported an increase in the number of ransomware attacks during holidays and over the weekends (days that the FBI offices are closed).
- The FBI’s Internet Crime Complaint Centre (IC3) reported receiving 2084 complaints relating to ransomware incidents between January-July 2021, with losses amounting to $16.8 million.
- At least 130 different ransomware families have been uncovered. Gandcrab is the most active family, with 78.5% of reported attacks attributed to it.
- The top 10 countries most affected by ransomware attacks are:
- South Korea
- Focusing on just organisations, the top 5 most affected countries are:
- USA (47%)
- Italy (8%)
- Australia (8%)
- Brazil (6%)
- Germany (6%)
- 93.28% of detected ransomware files are Windows-based executables. The next most common file type is Android, at 2.09%.
- Ransomware accounted for 4% of cyber breaches in UK businesses in 2022.
- The most common entry point for ransomware attacks is through phishing, with 41%.
- Between 2020-2021, there was a 33% increase in the number of ransomware attacks caused by vulnerability exploitation.
- June experienced the most ransomware attacks in 2021, at 33% – this is a decrease on 2020 figures, where 50% of ransomware attacks that year happened in June.
- The top attack type against businesses in the manufacturing industry was ransomware in 2021, with hackers using this type in 23% of observed attacks. This was ahead of server access attacks (12%) and business email compromise (10%).
- In 2022, the UK-based National Cyber Security Centre co-ordinated responses to 18 high-profile ransomware attacks, including against the NHS 111 non-emergency number and South Staffordshire Water.
- 90% of ransomware attacks either fail or result in zero losses for the victim.
Notable ransomware attacks
Costa Rica ransomware attacks 2022
A series of ransomware attacks were launched against the Costa Rican government in 2022, forcing a national emergency to be declared as critical systems were crippled.
There were two attacks. The first occurred from mid-April until May, with the digital tax service and IT systems relating to customs control as the main targets. According to estimates, 800 servers and several terabytes of information in the finance ministry were also impacted.
Due to the encryption of data and systems relating to customs control, trade in and out of the country was crippled. Losses from import and export businesses are estimated somewhere between $38 million and $125 million per day.
The ransomware group ‘Conti’ claimed responsibility for these attacks, demanding a $10 million ransom to avoid the data being leaked online.
The second attack targeted the Costa Rican Social Security Fund, which handles the country’s health service. More than half of the servers were impacted, forcing doctors to reschedule 7% of appointments in the first week following the attack.
A group using ‘HIVE’ ransomware were blamed for the second attack. HIVE has some links to Conti.
What is ransomware?
Ransomware is software that prevents an organisation from accessing its data until a ransom is paid. Examples include trojan viruses that copy the contents of a folder into a password-protected file and delete the original data, and the password is only given when a ransom is paid.
More sophisticated methods allow cyber criminals to encrypt an organisation’s entire data infrastructure. An encryption key is provided once the ransom is paid.
How does ransomware work?
Ransomware works by blocking an organisation or individual’s access to their data. This happens either through software that encrypts the data, or the data is moved to another location.
In either case, access is only granted once a ransom has been paid. The sensitivity of the data that is stored in an organisation, such as personal employee details and intellectual property, means many pay the ransom to prevent further damage.
Ransomware is also successful against organisations as the attack can cripple their ability to function. By blocking access to important files and programs, staff cannot work, freezing or severely impacting operations.
This type of attack is also difficult to trace. Ransomware payments are usually made with cryptocurrencies, which are designed to be difficult to track.
How is ransomware spread?
Ransomware is spread primarily through phishing. Cyber criminals send genuine-looking emails that prompt the target to follow a link or download a file. This then installs the ransomware on the device.
What is the WannaCry ransomware attack?
The WannaCry ransomware attack was a global cyber breach in 2017 that saw more than 200,000 computers in over 150 countries affected.
WannaCry was malicious software that targeted a vulnerability in unpatched versions of the Windows operating system. The hacking group known as ‘The Shadow Brokers’ exposed this vulnerability, which was called ‘EternalBlue’ and had allegedly been developed by the US National Security Agency.
Microsoft released a patch that removed the EternalBlue vulnerability. However, a lack of awareness or education on the importance of updating software meant many organisations and individuals worldwide ignored this patch.
As such, the impact of WannaCry was devastating, infecting hundreds of thousands of computer systems across the globe. The ransomware attackers encrypted data on the affected machines, demanding the victims pay the attackers $300 in Bitcoin to avoid having their data deleted.
WannaCry is estimated to have caused over $4 billion in damages worldwide. In the UK, the NHS had to cancel 19,000 appointments, costing the health service around £92 million.
What is DarkSide ransomware?
‘DarkSide’ is a hacking group that distributes ransomware-as-a-service (RaaS). This ransomware is rented on a subscription basis to other hackers (known as ‘affiliates’) with the original developers receiving a percentage of any profits gained from its deployment.
DarkSide emerged in August 2020, and has since been used in damaging attacks against organisations. On 7th May 2021, DarkSide forced Colonial Pipeline, a major gasoline pipeline running across east coast of the US, to cease operations after the ransomware encrypted critical computer systems.
Despite the ransom of 75 bitcoins (around $4.4 million) being paid quickly, operations were still affected and caused a state of emergency to be declared in 18 states to deal with petrol shortages.
Law enforcement agencies launched an operation to recover the ransom. Since then, $2.2 million in bitcoin has been found linked to individuals using DarkSide ransomware.
How often do ransomware attacks occur?
In just the first half of 2022, there were 236.1 million ransomware attacks worldwide. Through 2021, there were 623.3 million ransomware attacks globally. This doesn’t mean every attack was successful, but it does highlight the prevalence of this cyber threat.
How many people are affected by ransomware?
Data breaches through ransomware can affect anyone. While ransomware groups typically target organisations as more lucrative targets, around 3700 individuals fell victim to successful ransomware attacks in 2021. This amounted to $49.2 million being stolen from internet users throughout the year.
IDC, Palo Alto Networks, JBS, Statista, SonicWall, Accenture, ENISA, Kaspersky, Mimecast, Verizon, IBM, NBC News, The Guardian, VirusTotal, FBI, UK government, CPS, Cybersecurity and Infrastructure Security Agency, Trend Micro, CNN, Surfshark, Wired
Browse more articles from our experts and discover how to make better use of IT in your business.
The Best Cloud Tools For Law Firms
Law firms are under pressure to reduce costs and increase efficiency. The cloud offers scalable, cost-effective computer resources for firms, ensuring lawyers can work productively both in the office and…
The Future of Law Firms: How Digital Transformation Will Affect the Legal Sector
Some firms may not see the value in digital transformation, but this attitude presents real threats to firms and data. Digital transformation is the best opportunity for law firms to…